Malware inside Angry Planes & Noclip Mod

[EddieThePro]

 

 

Okay, so this may sound like an incredibly nooby question, but what's stopping us from just deleting everything in 'Temp'? Are things stored in there important? Surely it should be filled with replaceable files seeing as the folder is quite literally named 'Temporary'? I've got around 3GB of stuff inside that folder and wouldn't mind deleting some of it?

 

Sorry if this is f*cking stupid. I'm usually smarter than this, promise

Some of the files are used by software/programs that are running

 

Cheers, I'll stay safe and avoid it for the time being.

 

Regarding your picture: I think that's fine. Mine consists of 'Administrator - ASPNET - Guest - [My Name]

 

 

Thanks mate! Really appriciate it! Have a wonderful sunday!

 

[Smiley992]

So, i did that net user thing with CMD, and it came up with this. http://sv.tinypic.com/view.php?pic=2nvgkrk&s=8#.VVitRvntnGA

 

Everything is in the picture

Don't worry sir, it's okay the only problem is if it's write another name under your name, the Guest thing is Fine .

Okay, so this may sound like an incredibly nooby question, but what's stopping us from just deleting everything in 'Temp'? Are things stored in there important? Surely it should be filled with replaceable files seeing as the folder is quite literally named 'Temporary'? I've got around 3GB of stuff inside that folder and wouldn't mind deleting some of it?

 

Sorry if this is f*cking stupid. I'm usually smarter than this, promise

Temp folder is like the Trash of the pc Just delete it all and Delete prefetch files as well

 

Don't worry Deleting Temp Does not Delete any thing important Related to your Pc Files or anything else so it's alright

[MarshallRawR]

So, i did that net user thing with CMD, and it came up with this. http://sv.tinypic.com/view.php?pic=2nvgkrk&s=8#.VVitRvntnGA

 

Everything is in the picture

 

Guest is an account you can enable or not if someone wants to use your computer

without a password but with limited privileges. They can't access your files too.

[Eagle1001]

Could someone tell me if it stole files? I really need to know.

[BKnight]

 

So, i did that net user thing with CMD, and it came up with this. http://sv.tinypic.com/view.php?pic=2nvgkrk&s=8#.VVitRvntnGA

 

Everything is in the picture

Don't worry sir, it's okay the only problem is if it's write another name under your name, the Guest thing is Fine .

Okay, so this may sound like an incredibly nooby question, but what's stopping us from just deleting everything in 'Temp'? Are things stored in there important? Surely it should be filled with replaceable files seeing as the folder is quite literally named 'Temporary'? I've got around 3GB of stuff inside that folder and wouldn't mind deleting some of it?

 

Sorry if this is f*cking stupid. I'm usually smarter than this, promise

Temp folder is like the Trash of the pc Just delete it all and Delete prefetch files as well

 

Don't worry Deleting Temp Does not Delete any thing important Related to your Pc Files or anything else so it's alright

 

Yeah, I eventually established this after a quick Google search... Just threw it all in the Recycling Bin.

 

But thanks! I'd recommend it to anyone who is still weary about the virus and any files they could've missed

[sir_cormac_thunderguts]

Probable secuirity fix in Windows 10 (Correct me if i'm not)

If you have Windows 10 (beta), you shouldnt be affected. I had kept my antivirus and firewall off anyways. Hope this helps

 

Here are some images

 

I couldnt find a value in my registry

[Zhuocheng Tan]

Probable secuirity fix in Windows 10 (Correct me if i'm not)

If you have Windows 10 (beta), you shouldnt be affected. I had kept my antivirus and firewall off anyways. Hope this helps

 

Here are some images

 

I couldnt find a value in my registry

i couldnt find it on 8.1

[MarshallRawR]

The value in the registry made the virus start up again at each boot.
Better check your temp folders and quarantine to be safe.

[MPowell]

Well where were these files downloaded from, who hosted them? It is not that hard to put a name on the coward/thief/imbecile who did this...

[bocodamondo]

can anyone help me, i accidentally downloaded the angry plane mod (i dont even own GTA5) when i clicked on it, i was like meh, and just let it there in my Downloads folder as ZIP file. after i found out about this, i immediatly went and deleted the file and cleared my trashcan....does it install the malware when it still a ZIP/RAR file?

 

i tried to scan my PC for a Fade.exe or Init.exe and the only ones with those names i found are a few init files in games like legend of korra, DMC4, resident evil revelations, RE6, bully... but those were all like init,arc or init.bnk ... no init.exe

 

the only "fade" files i found are some fade.nft in bully...thats it. no Fade.exe

 

i scanned my downloads folder with both avira antivirus and it said its clean and im currently scanning it with superantispyware and malwarebytes

 

 

 

.there's also no fade or init in my temp folder

 

i really want to know if there's a chance i get the virus without extracting it out of the ZIP/RAR file. so i can go and change all my passwords.

 

[Igor Bogdanoff]

Nope you have to load into game with asi loader and that asi installed

[MonsieurSamuel]

can anyone help me, i accidentally downloaded the angry plane mod (i dont even own GTA5) when i clicked on it, i was like meh, and just let it there in my Downloads folder as ZIP file. after i found out about this, i immediatly went and deleted the file and cleared my trashcan....does it install the malware when it still a ZIP/RAR file?

 

i tried to scan my PC for a Fade.exe or Init.exe and the only ones with those names i found are a few init files in games like legend of korra, DMC4, resident evil revelations, RE6, bully... but those were all like init,arc or init.bnk ... no init.exe

 

the only "fade" files i found are some fade.nft in bully...thats it. no Fade.exe

 

i scanned my downloads folder with both avira antivirus and it said its clean and im currently scanning it with superantispyware and malwarebytes

 

 

 

.there's also no fade or init in my temp folder

 

i really want to know if there's a chance i get the virus without extracting it out of the ZIP/RAR file. so i can go and change all my passwords.

 

 

No chance that you're affected. The virus-downloading script is only executed when the .asi file is inside GTA's root folder and you've run the game with the .asi inside. You're fine.

[TheMuffinManOP]

"can anyone help me, i accidentally downloaded the angry plane mod (i dont even own GTA5) when i clicked on it, i was like meh, and just let it there in my Downloads folder as ZIP file. after i found out about this, i immediatly went and deleted the file and cleared my trashcan....does it install the malware when it still a ZIP/RAR file?

 

i tried to scan my PC for a Fade.exe or Init.exe and the only ones with those names i found are a few init files in games like legend of korra, DMC4, resident evil revelations, RE6, bully... but those were all like init,arc or init.bnk ... no init.exe

 

the only "fade" files i found are some fade.nft in bully...thats it. no Fade.exe

 

i scanned my downloads folder with both avira antivirus and it said its clean and im currently scanning it with superantispyware and malwarebytes

 

 

 

.there's also no fade or init in my temp folder

 

i really want to know if there's a chance i get the virus without extracting it out of the ZIP/RAR file. so i can go and change all my passwords."

 

if you did not unrar it or not launch gta 5 you should be ok since it injected the viruses and malware / key loggers when you launched gta 5 change your passwords and run a few scans with malwarebytes an anti virus program

and try tdsskiller it scans for rootkits if you want even more try programs like adwcleaner, hitmanpro, rkill and roguekiller they are some of the best I have them all installed also when you launch after the scan it might ask for an email just put in your email and ignore the

email if you do not offers for the program. Go to " http://www.bleepingcomputer.com/download/windows/" and look at the most downloaded on the left as most downloaded / recommended programs that I have mentioned are there, Hope this helps

 

P.S I do not know why the text went while just click and highlight it you will see the text ( it tells you what programs people recommend )

 

Edited May 17, 2015 by TheMuffinManOP

[bocodamondo]

alright, i scanned my PC with malwarebytes too and it said its clean from any init or fade exe.

[handoverfist]

The value in the registry made the virus start up again at each boot.

Better check your temp folders and quarantine to be safe.

Which file?

Also if it re-downloaded that means you didn't clean it out well enough.

[MarshallRawR]

Which file?

 

Also if it re-downloaded that means you didn't clean it out well enough.

 

 

That was set to Fade.exe.

Even if the registry was not infected, the initial run of Fade.exe might have happened.

 

 

 

Hello there I was wondering if someone could help me. Can you test and see if this link is safe to download? Are there any viruses, malware or anything bad in there?

 

Thanks

 

This is a hack for GTA Online which is not allowed here.

Reported to remove the link, be carefull next time or you might get a sanction from mods.

Also, it'll get you banned anyway.

Edited May 17, 2015 by MarshallRawR

[T34B4G]

 

 

This is a hack for GTA Online which is not allowed here.

Reported to remove the link, be carefull next time or you might get a sanction from mods.

Also, it'll get you banned anyway.

 

sh*t sorry I didn't realize

[TheMuffinManOP]

for some random reason silent wants me to post here. so no one will see this post but I will do as he said ( post) :hey guys I removed everything such as shell in the regedit and all the files and stuff I went as far as to reinstall gta 5 but I found a shell folder in regedit and deleted it I also found a file called "*" (yes a * )

but I think I went to far as after doing some research this was added by windows I have backups and restore points so it is nothing huge and I really want to re install windows but I really do not want to start again after having this pc like 10 months of having it but I am only 50 % sure I am safe I have changed most in portent passwords such as youtube twitch facebook paypal and rockstar steam and the rest but I re installed gta 5 and it launched in windowed mode witch was strange I wish I checked my processes but I can't remember doing so but the fade folder in regedit so I deleted it again and rebooted 2 times and it has not returned. for the people saying about the "leep" and "fade" in the regedit I only installed the noclip mod and it seems the files where added on the same date as every one else "5/5/2015" on the 5 of may witch seems weird and I only had fade and no leep witch people said "leep" was part of the noclip mod let me know where to look for this "leep" sh*t too please, thanks Extra stuff:

the real kicker is that I wanted to start gta modding in gta 5 and I started then I heard the news about all this f*ckery with the malware this really will hit the community hard since I am not even going to download a mod. until it has been like 110 % confirmed to be real by tons of people and youtubers as such rockstar should touch on it even though they do not really approve for modding in gta 5 it should be talked about wont be surprised if rockstar said "I told you so" I still think there is that 1 person out there that has not heard the news and I have been in contact with malwarebytes since It did not detect it I just hope this comes to light even more than it has.

[G0nx4]

for some random reason silent wants me to post here. so no one will see this post but I will do as he said ( post) :hey guys I removed everything such as shell in the regedit and all the files and stuff I went as far as to reinstall gta 5 but I found a shell folder in regedit and deleted it I also found a file called "*" (yes a * )

but I think I went to far as after doing some research this was added by windows I have backups and restore points so it is nothing huge and I really want to re install windows but I really do not want to start again after having this pc like 10 months of having it but I am only 50 % sure I am safe I have changed most in portent passwords such as youtube twitch facebook paypal and rockstar steam and the rest but I re installed gta 5 and it launched in windowed mode witch was strange I wish I checked my processes but I can't remember doing so but the fade folder in regedit so I deleted it again and rebooted 2 times and it has not returned. for the people saying about the "leep" and "fade" in the regedit I only installed the noclip mod and it seems the files where added on the same date as every one else "5/5/2015" on the 5 of may witch seems weird and I only had fade and no leep witch people said "leep" was part of the noclip mod let me know where to look for this "leep" sh*t too please, thanks Extra stuff:

the real kicker is that I wanted to start gta modding in gta 5 and I started then I heard the news about all this f*ckery with the malware this really will hit the community hard since I am not even going to download a mod. until it has been like 110 % confirmed to be real by tons of people and youtubers as such rockstar should touch on it even though they do not really approve for modding in gta 5 it should be talked about wont be surprised if rockstar said "I told you so" I still think there is that 1 person out there that has not heard the news and I have been in contact with malwarebytes since It did not detect it I just hope this comes to light even more than it has

As I know there were different noclip mods, so it should be that some mods had leep and others had fade. In my case I just got fade from noclip mod.

[ffzero58]

If folks are still worried about what is lurking in your autorun, download this sysinternals tool:

 

https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

 

 

It will enumerate all of the items that will start with Windows.

 

Process Explorer and TCPView are also good tools to see if there is still suspicious activity going on.

[FlyingAce]

If folks are still worried about what is lurking in your autorun, download this sysinternals tool:

 

https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

 

 

It will enumerate all of the items that will start with Windows.

 

Process Explorer and TCPView are also good tools to see if there is still suspicious activity going on.

what do red and yellow highlights mean?

[ffzero58]

 

If folks are still worried about what is lurking in your autorun, download this sysinternals tool:

 

https://technet.microsoft.com/en-us/sysinternals/bb963902.aspx

 

 

It will enumerate all of the items that will start with Windows.

 

Process Explorer and TCPView are also good tools to see if there is still suspicious activity going on.

what do red and yellow highlights mean?

 

 

Red: unsigned image (not signed by any recognized authority - if any)

Yellow: missing image (the file the entry is pointing to is missing from the filesystem)

Edited May 18, 2015 by ffzero58

[TheMuffinManOP]

 

for some random reason silent wants me to post here. so no one will see this post but I will do as he said ( post) :hey guys I removed everything such as shell in the regedit and all the files and stuff I went as far as to reinstall gta 5 but I found a shell folder in regedit and deleted it I also found a file called "*" (yes a * )

but I think I went to far as after doing some research this was added by windows I have backups and restore points so it is nothing huge and I really want to re install windows but I really do not want to start again after having this pc like 10 months of having it but I am only 50 % sure I am safe I have changed most in portent passwords such as youtube twitch facebook paypal and rockstar steam and the rest but I re installed gta 5 and it launched in windowed mode witch was strange I wish I checked my processes but I can't remember doing so but the fade folder in regedit so I deleted it again and rebooted 2 times and it has not returned. for the people saying about the "leep" and "fade" in the regedit I only installed the noclip mod and it seems the files where added on the same date as every one else "5/5/2015" on the 5 of may witch seems weird and I only had fade and no leep witch people said "leep" was part of the noclip mod let me know where to look for this "leep" sh*t too please, thanks Extra stuff:

the real kicker is that I wanted to start gta modding in gta 5 and I started then I heard the news about all this f*ckery with the malware this really will hit the community hard since I am not even going to download a mod. until it has been like 110 % confirmed to be real by tons of people and youtubers as such rockstar should touch on it even though they do not really approve for modding in gta 5 it should be talked about wont be surprised if rockstar said "I told you so" I still think there is that 1 person out there that has not heard the news and I have been in contact with malwarebytes since It did not detect it I just hope this comes to light even more than it has

As I know there were different noclip mods, so it should be that some mods had leep and others had fade. In my case I just got fade from noclip mod.

 

well I just had fade too man that sucks I didn't even use noclip only the occasional looking behind a wall for like an easter egg, oh well, thanks for the reply

alright, i scanned my PC with malwarebytes too and it said its clean from any init or fade exe.

I recommend more programs since malwarebytes didn't detect it. all it did is detected a "hijack.shallA.gen" and another one I knew about this before this thing even happened I even uni-stalled gta 5 before this happened because I knew

it was gta 5 doing it since every time I run it it would be detected by malwarebytes but it did not completely remove it PLEASE go through the step by step removal guide in this main post and go here : http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/

to remove ALL malware from your pc. thanks

[TheMuffinManOP]

FOR ANY ONE ASKING FOR MORE HELP ON REMOVING MALWARE ( sorry for caps ) go here it is an official Reddit post on how to remove malware : http://www.reddit.com/r/techsupport/comments/33evdi/suggested_reading_official_malware_removal_guide/

 

hope this helps

[Microbots]

So I'm going through the basics of IDA and the relevant tutorials on youtube. In one of them, it says that you can see the importsand what they use like using like networking.

 

Now I have no idea what ASI files need or how they work when they download viruses. But did Angry Planes mod need that import and would it show up on IDA?

[Prolifikk]

Did it affect windows 8.1 users?

 

I can't find any of the exe files. But I did find one .z file in temp that appeared to be unnamed and had a winrar icon.

[MarshallRawR]

Did it affect windows 8.1 users?

 

I can't find any of the exe files. But I did find one .z file in temp that appeared to be unnamed and had a winrar icon.

 

Of course it affected 8.1 users, pretty much any PC running GTAV with the mod.

Look at your antivirus's quarantine, it might be there already. Also, check the registry. Good luck, pal.

[Eagle1001]

Is it possible it stole files and is it possible it copied to other harddrives and infected those .exe files?

[ffzero58]

Is it possible it stole files and is it possible it copied to other harddrives and infected those .exe files?

 

Yes. The virus stole session/saved passwords of social media sites, steam, etc... It also logged your keystrokes and did all sorts of debauchery on your system. As for your latter question, it does not look like that is the case. Even so, look through your autoruns to see if you have any suspicious entries.

[EddieThePro]

So after everything with the viruses, can someone scan the "Ped Riot/Chaos Mode" mod? Link: https://www.gta5-mods.com/scripts/ped-riot-chaos-mode(gta5-mods.com)

 

If someone wants this removed, i'll remove it instantly

Edited May 18, 2015 by EddieThePro